
Windows passwords FAQ

posted by Passcape_Admin at 15:27:13 05.10.2010

Q: What is password protection?

A: Perhaps no one would argue that Windows NT-based operating systems are today the most popular in the world. That also makes them very vulnerable targets for all kinds of hackers, intruders and dishonest users, and the spread of the global network only exacerbates the situation. To keep stored user and system data personal and to protect it from unauthorized access by third parties, password protection was proposed, and it remains the primary protection in Windows operating systems today. Access to private data is possible only when the user knows the original password, which is normally a word or phrase. In real life it looks like this: when an attempt is made to access private data, the program or system prompts the user for a text password. That password is checked against the original one, and if the values match, the system allows access to the private data; otherwise, it denies access. The primary disadvantage of password protection is that the program or system must store the original password somewhere in order to have something to compare the entered value with.

Q: How do operating systems store passwords?

A: But everything is not so bad: Windows NT was designed so that it does not store the original text value of the password. "How is that?" you may ask. Very easy. There are special cryptographic password wrapper algorithms that work in one direction only, which is why they are sometimes referred to as OWFs, one-way functions. Roughly speaking, you can get a hash from a password, but there is no way to get the password back from the hash. How does this work in Windows? When an account is created, the user enters the original password, which is not stored as plain text; instead, it is hashed with an OWF, and the resulting password hash is stored in the system. Later, when the user attempts to log on, the system prompts for the password, hashes it again and compares the new hash with the original one stored in the system. If the two values match, the passwords naturally match too. Thus, the original text password is never stored in the system. Moreover, there are newer algorithms that do not even store the hash, and the number of such algorithms keeps growing. One algorithm of this kind, for example, is used for encrypting passwords in Internet Explorer 7-8. You can learn more about it in our article.

Q: How do passwords become encrypted?

A: For hashing user passwords, Windows NT uses two algorithms: LM, inherited from Lan Manager networks and based on simple DES encryption, and NT, based on the MD4 hashing function. LM, as the weaker and more vulnerable of the two, is not supported by default in the latest Windows Vista and Windows 7; however, you can still enable it. It is important to know that when LM hashing is on (it is enabled by default in Windows XP), all user passwords should be considered quite vulnerable: cracking the majority of such passwords normally takes just a few minutes.
The NT hash is free from the disadvantages of the LM hash. Consequently, it is much harder to find the right password for a known NT hash than for an LM hash. But the current trend of growing computing power, especially when GPUs are used, may well make this standard too vulnerable to potential attackers.

Q: Where are password hashes stored?

A: So, we have found out that user passwords in Windows systems are converted to special values, hashes. LM and NT hashes both have a fixed size of 16 bytes and can be stored in two repositories: SAM, for regular (local) accounts, and Active Directory, for domain accounts.

SAM

Regular accounts, which contain the user name, password and other auxiliary information, are stored in the Windows NT registry; precisely, in the SAM (Security Account Manager) file. That file is located on the hard disk in the folder %windows%\system32\config, where %windows% stands for the path to your Windows folder. For example, C:\Windows\System32\Config\SAM.
The system has priority access to the SAM file, so access to it is denied to anyone, even administrators, while the system is loaded; nevertheless, Windows Password Recovery bypasses that restriction with ease. Besides that, of great interest to a potential attacker would be the SAM.SAV backup file and the compressed archived copy of SAM in the folder %windows%\Repair.
Another way to access the SAM file is to launch a special program from a boot disk and then copy the file. In any case, you need physical access to the computer holding the password hashes.
User passwords, or, to be accurate, their hashes, are additionally encrypted by the SYSKEY mechanism, which stores its service data in the SYSTEM registry file. Thus, to extract hashes from SAM, you also need the SYSTEM file, which is located in the same folder as SAM.

Active Directory

Domain accounts are stored in the Active Directory database. Usually that database is located in the file %Windows%\ntds\NTDS.DIT; it is the core of Active Directory. The way user hashes are encrypted here differs a bit from SAM, but recovery also requires the SYSTEM file. Access to the database is likewise under the system's complete control; however, unlike SAM, the ntds.dit database is resistant to modifications from the outside.

Q: If everything is so easy, why doesn't Windows simply deny access to SAM or Active Directory for all users?

A: That's the way it's done. By default, only the system has access to those files. However, these restrictions can be easily overridden. For example, Windows Password Recovery can import hashes from the current (locked by the system) SAM and Active Directory files. Besides, the system stores hashes in the computer memory to speed up access to them, so dumping the computer's memory is also an option.

Q: I didn't quite understand it; what do I need to copy from the computer to recover the passwords?

A: If that's a regular computer, copy the following registry files: SAM and SYSTEM (the SECURITY and SOFTWARE files are also desirable). If that's a server, you will need the same files plus the ntds.dit file.

Q: How long does it take to pick the password if the LM hash is available?

A: The greatest disadvantage of the LM algorithm is that it splits the password into two halves of 7 characters each. If the user enters a password shorter than 14 characters, the algorithm pads it with zeros to get a 14-character string. If the user's password exceeds 14 characters, the LM hash is the same as for an empty password. Each of the 7-character halves is encrypted independently, which considerably eases and speeds up password recovery. Another major disadvantage of the LM hash is that during encryption all alphabetic characters of the password are converted to uppercase. In other words, the hashes for PASSWORD, password, Password and pAsswOrd are completely identical. By running a brute-force attack against each half, modern personal computers can guess the password for an alphanumeric LM hash within a few minutes (or even seconds, when using the Rainbow attack). Let's do a bit of calculation. To recover a password made of any alphanumeric combination, we split the password into two 7-character parts and then have to search 36 + 36^2 + ... + 36^7 = 80 603 140 212 combinations. Besides, all the hashes are searched simultaneously. The search speed of Windows Password Recovery on an Intel Core i7 computer is over 100 million passwords per second. Let's round it down to 100 million. 80 603 140 212 / 100 000 000 = 806 seconds. That means we are guaranteed to get the original alphanumeric password within just a bit over 10 minutes using the brute-force attack.

Q: Can I see the encryption sources?

A: Sure. Let's review a working password encryption program for the LM algorithm.

Q: How much time is required to guess the password if its NT hash is known?

A: With NT hashes it's a bit more complicated. The NT hash does not have the disadvantages of LM. Therefore, the probability of recovering the password depends entirely on its length and complexity and falls off rapidly as these grow, even though the NT hashing algorithm itself is faster to compute. Let's take a look at the following table, which shows how the search time depends on password length and complexity (assuming a brute-force recovery speed of 100 million passwords per second).

Character set          | Password length | Password sample | Time to crack
-----------------------|-----------------|-----------------|----------------
A .. Z                 | 5               | CRUEL           | instantly
A .. Z                 | 6               | SECRET          | 3s
A .. Z                 | 7               | MONSTER         | 1m 23s
A .. Z                 | 8               | COOLGIRL        | 36m 11s
A .. Z                 | 9               | BABYTOOLS       | 15.6h
A .. Z, 0 .. 9         | 5               | COOL3           | instantly
A .. Z, 0 .. 9         | 6               | BANG13          | 22s
A .. Z, 0 .. 9         | 7               | POKER00         | 13m 26s
A .. Z, 0 .. 9         | 8               | LETMEBE4        | 8h 3m 37s
A .. Z, 0 .. 9         | 9               | ILOVEU123       | 12.1d
A .. Z, a .. z, 0 .. 9 | 5               | P0k3r           | 9s
A .. Z, a .. z, 0 .. 9 | 6               | S3cr31          | 9m 37s
A .. Z, a .. z, 0 .. 9 | 7               | DidIt13         | 9h 56m 33s
A .. Z, a .. z, 0 .. 9 | 8               | GoAway99        | 25d 16h 26m 34s
A .. Z, a .. z, 0 .. 9 | 9               | Cl3v3rB0y       | 4.3y (1592d)

Q: What's the difference between a regular brute-force and GPU brute-force attack?

A: There's no difference to the end user, except that GPU brute force runs several times faster, or even tens of times faster, depending on the hardware used. For example, nowadays even a schoolboy can build a GPU-based super PC that handles 10 billion passwords per second or more. So our table would look like this:

Character set          | Password length | Password sample | Time to crack
-----------------------|-----------------|-----------------|--------------
A .. Z                 | 5               | CRUEL           | instantly
A .. Z                 | 6               | SECRET          | instantly
A .. Z                 | 7               | MONSTER         | instantly
A .. Z                 | 8               | COOLGIRL        | 22s
A .. Z                 | 9               | BABYTOOLS       | 8m 24s
A .. Z, 0 .. 9         | 5               | COOL3           | instantly
A .. Z, 0 .. 9         | 6               | BANG13          | instantly
A .. Z, 0 .. 9         | 7               | POKER00         | 8s
A .. Z, 0 .. 9         | 8               | LETMEBE4        | 4m 50s
A .. Z, 0 .. 9         | 9               | ILOVEU123       | 2h 54m
A .. Z, a .. z, 0 .. 9 | 5               | P0k3r           | instantly
A .. Z, a .. z, 0 .. 9 | 6               | S3cr31          | 6s
A .. Z, a .. z, 0 .. 9 | 7               | DidIt13         | 6m
A .. Z, a .. z, 0 .. 9 | 8               | GoAway99        | 6.1h
A .. Z, a .. z, 0 .. 9 | 9               | Cl3v3rB0y       | 16d
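Both tables above come from one calculation: the cumulative keyspace c + c^2 + ... + c^n divided by the search rate, which the FAQ works out by hand only for 7-character alphanumerics (36 + 36^2 + ... + 36^7 = 80 603 140 212). The following Python, an added example rather than Passcape's code, generalizes that to all three character sets and both rates; CPU_RATE and GPU_RATE are the FAQ's 100 million and 10 billion passwords per second, and the duration formatting is an assumption chosen to resemble the tables (the FAQ's own figures are rounded, so a few cells differ by a second or two).

```python
# Rates taken from the FAQ: ~100 million NT hashes/s on a Core i7 and
# ~10 billion/s on a GPU rig. Charset sizes match the three table groups.
CPU_RATE = 100_000_000
GPU_RATE = 10_000_000_000
CHARSETS = {"A .. Z": 26, "A .. Z, 0 .. 9": 36, "A .. Z, a .. z, 0 .. 9": 62}


def keyspace(charset_size: int, max_len: int) -> int:
    """Candidates an exhaustive search must try for lengths 1..max_len:
    c + c^2 + ... + c^max_len, i.e. the FAQ's 36 + 36^2 + ... + 36^7
    for 7-character alphanumeric passwords."""
    return sum(charset_size ** k for k in range(1, max_len + 1))


def seconds_to_crack(charset_size: int, max_len: int, rate: float) -> float:
    """Worst-case brute-force time at `rate` hashes per second."""
    return keyspace(charset_size, max_len) / rate


def fmt_duration(seconds: float) -> str:
    """Render seconds the way the FAQ tables do: 'instantly', '1m 23s', '2d 4h'.
    Sub-second times are reported as 'instantly'; whole seconds are truncated."""
    if seconds < 1:
        return "instantly"
    d, rem = divmod(int(seconds), 86400)
    h, rem = divmod(rem, 3600)
    m, s = divmod(rem, 60)
    return " ".join(f"{v}{u}" for v, u in ((d, "d"), (h, "h"), (m, "m"), (s, "s")) if v)


def crack_table(rate: float, lengths=range(5, 10)) -> list:
    """Rows of (charset, length, time) for one search rate, in table order."""
    return [(name, n, fmt_duration(seconds_to_crack(size, n, rate)))
            for name, size in CHARSETS.items() for n in lengths]


if __name__ == "__main__":
    for label, rate in (("CPU", CPU_RATE), ("GPU", GPU_RATE)):
        print(f"--- {label}: {rate:,} passwords/s ---")
        for name, n, t in crack_table(rate):
            print(f"{name:24} {n}  {t}")
```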

Q: How much time is needed to guess the NT password from its LM hash?

A: Almost instantly.

Q: Why can't I just remove or zero out the hash, i.e. set a blank password?

A: Who said you couldn't? You can. For instance, using this powerful utility. This way is just fine for those who need to regain access to their (or someone else's, e.g., when talking about the respective authorities) account at any cost. Moreover, with the above-mentioned utility you can do the following: remember the hash, reset it, log on to the account with an empty password, do the necessary manipulations, and then restore the remembered hash. But it's not as simple as it seems. Even if you have reset the password and gained access to the account, you still won't be able to recover the majority of other passwords. Why? Because the user password participates in the creation of the user's master key, which is used in DPAPI and EFS encryption and other Windows subsystems. In other words, even if you reset the password, you will not be able to recover any of the following data: EFS-encrypted files, Outlook account passwords, Internet Explorer 7-9 passwords, network connection passwords (RAS, DSL, VPN etc.), network passwords to other computers, wireless network keys, MSN Messenger credentials, Google Talk & Google Chrome passwords, Skype, etc.

Q: So, in order to recover, for example, an Internet Explorer password, I would need to get the account password first, right?

A: Exactly. Or you need physical access to an already loaded and running user session.

Q: Are there any backdoors?

A: Like anywhere else. For example, sometimes the account password is stored in plain-text form in the LSA secrets. Passwords to many system accounts can also be recovered with ease.

Q: Is that what the SECURITY registry file is requested for when importing hashes from the local computer?

A: Yes. The main purpose of the SECURITY file is to store the so-called LSA Secrets. These secrets (but not they alone) can contain plain-text passwords. The Artificial Intelligence attack checks the system for such vulnerabilities and, as a consequence, may recover some passwords.

Q: Can I substitute an existing hash for the password when logging on to the system?

A: There are programs that do that. Here is how they work. Before the system boots, they extract user password hashes from SAM. Then, when the account is loaded, they substitute the known hash for the password. However, the result of such manipulations is the same as merely resetting the password; i.e., you won't be able to recover the majority of other passwords.

Q: What can I do if the SAM file is hopelessly corrupt? Is there a way to recover the original password in this case?

A: Yes, there is. However, you will no longer have access to the system. You can, for example, recover the password using the user's master key. Passcape Software has means for doing that. If the computer belongs to a domain, the names and hashed passwords of the last ten users are cached in its local system registry, in the SECURITY\Policy\Secrets section. You can take advantage of Reset Windows Password for dumping those hashes (they are also referred to as MSCACHE) and then try to decrypt them using Network Password Recovery Wizard.

Q: I need to regain access to my account. Would you draw a picture "for dummies" - what's the best way to do that, and how do I do that?

A: Briefly, there are two ways to regain access to an account:

Reset the password; e.g., make the password blank. There are special utilities for doing that; the most powerful one is Reset Windows Password. Its operating principle is simple. Run the boot disk creation program and create a Reset Windows Password boot CD/DVD or USB disk with it. Next, power on the computer with the account you need to regain access to and edit the BIOS settings so that the computer boots from CD/DVD/USB. Some computers have this option enabled by default. Now boot from the Reset Windows Password boot disk and follow the wizard's instructions to reset the account password. However, resetting the password guarantees only access to the account. If you also need to regain access to EFS-encrypted files or recover other passwords (e.g., network ones), this method won't do for you.

Recover the original password. By the way, that can be done by the same Reset Windows Password, running the intellectual attack. However, its capabilities are limited to weak and vulnerable passwords. For recovering the original password it is recommended to use Windows Password Recovery. In this program, once the hashes are imported, select and launch one of the proposed attacks. If the attack does not succeed, you can alter the settings and run it again, or replace it with another one. Read on to find out how to choose the best attack for your hashes.

Q: Where can I find word-lists for dictionary attacks?

A: You don't need to search for them. You can download dictionaries from within Windows Password Recovery. We have a huge set of dictionaries on our Web site.

Q: How do I make my password more secure?

A: There are several ways to protect your passwords from being guessed by potential attackers:

Do not use dictionary words in any language, names, numbers, repetitive sequences of letters and numbers, abbreviations, keyboard combinations, personal information, etc. Such passwords can be guessed extremely quickly and easily.

Increase password length. However, there is a reasonable limit for everything. Remember that length is not the main thing :) Finally, making up a too long password will cause you to successfully forget it after a weekend party or vacation. Besides that, an average human's memory cannot hold more than 5-7 passwords at a time. And there are network passwords, Web passwords, etc. that must also be remembered.

Extend the character set used in the password. For example, replace the 'a' characters in the password with '@'. Using national characters also strengthens passwords radically. Use uncommon characters; for instance, '~'. Do not use hard-to-remember passwords that consist of a random set of characters, unless you are a genius.

Do not use the same password for logging on to Windows, Web sites, services, etc.

If you have trouble remembering all your passwords, save them in a separate password-protected file in a safe place. A good password protection is implemented, for example, in the Rar archiver. Do not keep that file on the local computer.

Never enter your password on someone else's computer.

It's not a good idea to write down your passwords on sticky notes and stick those on the monitor.

Think about additional protection. For example, if you enable the SYSKEY startup password option, chances are close to 100% that not a single attacker will be able to break your passwords without having guessed the original SYSKEY password first.